<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Java Client and security | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'java-clients.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/java-clients.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/java-clients.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/java-clients.html" rel="nofollow" target="_blank">../en/java-clients.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="secure-cluster.html">Secure a cluster</a></span>
»
<span class="breadcrumb-link"><a href="ccs-clients-integrations.html">Cross cluster search, clients, and integrations</a></span>
»
<span class="breadcrumb-node">Java Client and security</span>
</div>
<div class="navheader">
<span class="prev">
<a href="cross-cluster-configuring.html">« Cross cluster search and security</a>
</span>
<span class="next">
<a href="http-clients.html">HTTP/REST clients and security »</a>
</span>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="java-clients"></a>Java Client and security<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/ccs-clients-integrations/java.asciidoc">edit</a>
</h2>
</div></div></div>
<div class="warning admon">
<div class="icon"></div>
<div class="admon_content">
<h3>Deprecated in 7.0.0.</h3>
<p>The <code class="literal">TransportClient</code> is deprecated in favour of the <a href="https://www.elastic.co/guide/en/elasticsearch/client/java-rest/7.7/java-rest-high.html" class="ulink" target="_top">Java High Level REST Client</a> and will be removed in Elasticsearch 8.0. The <a href="https://www.elastic.co/guide/en/elasticsearch/client/java-rest/7.7/java-rest-high-level-migration.html" class="ulink" target="_top">migration guide</a> describes all the steps needed to migrate.</p>
</div>
</div>
<p>The Elasticsearch security features support the Java <a href="http://www.elastic.co/guide/en/elasticsearch/client/java-api/current/transport-client.html" class="ulink" target="_top">transport client</a> for Elasticsearch.
The transport client uses the same transport protocol that the cluster nodes use
for inter-node communication. It is very efficient as it does not have to marshall
and unmarshall JSON requests like a typical REST client.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>Using the Java Node Client with secured clusters is not recommended or
      supported.</p>
</div>
</div>
<h4>
<a id="transport-client"></a>Configuring the Transport Client to work with a Secured Cluster<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/ccs-clients-integrations/java.asciidoc">edit</a>
</h4>
<p>To use the transport client with a secured cluster, you need to:</p>
<div id="java-transport-client-role" class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<a href="setup-xpack-client.html" class="ulink" target="_top">Configure the X-Pack transport client</a>.
</li>
<li class="listitem">
Configure a user with the privileges required to start the transport client.
A default <code class="literal">transport_client</code> role is built-in to the Elasticsearch security features,
which grants the
appropriate cluster permissions for the transport client to work with the secured
cluster. The transport client uses the <em>Nodes Info API</em> to fetch information about
the nodes in the cluster.
</li>
<li class="listitem">
<p>Set up the transport client. At a minimum, you must configure <code class="literal">xpack.security.user</code> to
include the name and password of your transport client user in your requests. The
following snippet configures the user credentials globally—​every request
submitted with this client includes the <code class="literal">transport_client_user</code> credentials in
its headers.</p>
<div class="pre_wrapper lang-java">
<pre class="programlisting prettyprint lang-java">import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
...

TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
        .put("cluster.name", "myClusterName")
        .put("xpack.security.user", "transport_client_user:x-pack-test-password")
        ...
        .build())
    .addTransportAddress(new TransportAddress("localhost", 9300))
    .addTransportAddress(new TransportAddress("localhost", 9301));</pre>
</div>
<div class="warning admon">
<div class="icon"></div>
<div class="admon_content">
<p>If you configure a transport client without SSL, passwords are sent in
          clear text.</p>
</div>
</div>
<p>You can also add an <code class="literal">Authorization</code> header to each request. If you’ve configured
global authorization credentials, the <code class="literal">Authorization</code> header overrides the global
authentication credentials. This is useful when an application has multiple users
who access Elasticsearch using the same client. You can set the global token to
a user that only has the <code class="literal">transport_client</code> role, and add the <code class="literal">transport_client</code>
role to the individual users.</p>
<p>For example, the following snippet adds the <code class="literal">Authorization</code> header to a search
request:</p>
<div class="pre_wrapper lang-java">
<pre class="programlisting prettyprint lang-java">import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;

import static UsernamePasswordToken.basicAuthHeaderValue;
...

TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
        .put("cluster.name", "myClusterName")
        .put("xpack.security.user", "transport_client_user:x-pack-test-password")
        ...
        .build())
    .build()
    .addTransportAddress(new TransportAddress(InetAddress.getByName("localhost"), 9300))
    .addTransportAddress(new TransportAddress(InetAddress.getByName("localhost"), 9301))

String token = basicAuthHeaderValue("test_user", new SecureString("x-pack-test-password".toCharArray()));

client.filterWithHeader(Collections.singletonMap("Authorization", token))
    .prepareSearch().get();</pre>
</div>
</li>
<li class="listitem">
<p>Enable SSL to authenticate clients and encrypt communications. To enable SSL,
you need to:</p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<p>Configure the paths to the client’s key and certificate in addition to the certificate authorities.
Client authentication requires every client to have a certification signed by a trusted CA.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>Client authentication is enabled by default. For information about
      disabling client authentication, see <a class="xref" href="java-clients.html#disabling-client-auth" title="Disabling client authentication">Disabling Client Authentication</a>.</p>
</div>
</div>
<div class="pre_wrapper lang-java">
<pre class="programlisting prettyprint lang-java">import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
...

TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
        .put("cluster.name", "myClusterName")
        .put("xpack.security.user", "transport_client_user:x-pack-test-password")
        .put("xpack.security.transport.ssl.enabled", true)
        .put("xpack.security.transport.ssl.key", "/path/to/client.key")
        .put("xpack.security.transport.ssl.certificate", "/path/to/client.crt")
        .put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt")
        ...
        .build());</pre>
</div>
</li>
<li class="listitem">
<p>Enable the SSL transport by setting <code class="literal">xpack.security.transport.ssl.enabled</code> to <code class="literal">true</code> in the
client configuration.</p>
<div class="pre_wrapper lang-java">
<pre class="programlisting prettyprint lang-java">import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
...

TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
        .put("cluster.name", "myClusterName")
        .put("xpack.security.user", "transport_client_user:x-pack-test-password")
        .put("xpack.security.transport.ssl.enabled", true)
        .put("xpack.security.transport.ssl.key", "/path/to/client.key")
        .put("xpack.security.transport.ssl.certificate", "/path/to/client.crt")
        .put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt")
        .put("xpack.security.transport.ssl.enabled", "true")
        ...
        .build())
    .addTransportAddress(new TransportAddress(InetAddress.getByName("localhost"), 9300))
    .addTransportAddress(new TransportAddress(InetAddress.getByName("localhost"), 9301))</pre>
</div>
</li>
</ol>
</div>
</li>
</ol>
</div>
<h5>
<a id="disabling-client-auth"></a>Disabling client authentication<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/ccs-clients-integrations/java.asciidoc">edit</a>
</h5>
<p>If you want to disable client authentication, you can use a client-specific
transport protocol. For more information see <a class="xref" href="separating-node-client-traffic.html" title="Separating node-to-node and client traffic">Separating Node to Node and Client Traffic</a>.</p>
<p>If you are not using client authentication and sign the Elasticsearch node
certificates with your own CA, you need to provide the path to the CA
certificate in your client configuration.</p>
<div class="pre_wrapper lang-java">
<pre class="programlisting prettyprint lang-java">import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
...

TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
        .put("cluster.name", "myClusterName")
        .put("xpack.security.user", "test_user:x-pack-test-password")
        .put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt")
        .put("xpack.security.transport.ssl.enabled", "true")
        ...
        .build())
    .addTransportAddress(new TransportAddress("localhost", 9300))
    .addTransportAddress(new TransportAddress("localhost", 9301));</pre>
</div>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>If you are using a public CA that is already trusted by the Java runtime,
      you do not need to set the <code class="literal">xpack.security.transport.ssl.certificate_authorities</code>.</p>
</div>
</div>
<h5>
<a id="connecting-anonymously"></a>Connecting anonymously<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/ccs-clients-integrations/java.asciidoc">edit</a>
</h5>
<p>To enable the transport client to connect anonymously, you must assign the
anonymous user the privileges defined in the <a class="xref" href="java-clients.html#java-transport-client-role">transport_client</a>
role. Anonymous access must also be enabled, of course. For more information,
see <a class="xref" href="anonymous-access.html" title="Enabling anonymous access">Enabling Anonymous Access</a>.</p>
<h4>
<a id="security-client"></a>Security client<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/ccs-clients-integrations/java.asciidoc">edit</a>
</h4>
<p>The Elastic Stack security features expose an API through the <code class="literal">SecurityClient</code> class.
To get a hold of a <code class="literal">SecurityClient</code> you first need to create the <code class="literal">XPackClient</code>,
which is a wrapper around the existing Elasticsearch clients (any client class implementing
<code class="literal">org.elasticsearch.client.Client</code>).</p>
<p>The following example shows how you can clear the realm caches using
the <code class="literal">SecurityClient</code>:</p>
<div class="pre_wrapper lang-java">
<pre class="programlisting prettyprint lang-java">Client client = ... // create the transport client

XPackClient xpackClient = new XPackClient(client);
SecurityClient securityClient = xpackClient.security();
ClearRealmCacheResponse response = securityClient.authc().prepareClearRealmCache()
    .realms("ldap1", "ad1") <a id="CO494-2"></a><i class="conum" data-value="1"></i>
    .usernames("rdeniro")
    .get();</pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO494-1"><i class="conum" data-value="1"></i></a><a href="#CO494-2"></a></p>
</td>
<td align="left" valign="top">
<p>Clears the <code class="literal">ldap1</code> and <code class="literal">ad1</code> realm caches for the <code class="literal">rdeniro</code> user.</p>
</td>
</tr>
</table>
</div>
</div>
<div class="navfooter">
<span class="prev">
<a href="cross-cluster-configuring.html">« Cross cluster search and security</a>
</span>
<span class="next">
<a href="http-clients.html">HTTP/REST clients and security »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>